CH634161A5 - APPARATUS FOR DECIPHERING A NUMBERED MESSAGE AND ITS USE IN A TRANSMISSION INSTALLATION. - Google Patents

Description

The present invention relates to an apparatus for deciphering and frying an encrypted message received by an insecure communication channel according to the preamble of claim 1.

The invention also relates to a use of this device in an installation for transmitting encrypted messages from a sender to a receiver as claimed in claim 3. There are many uses of cryptographic systems which must ensure privacy and authenticity of messages transmitted through unsafe channels. A system ensuring the private nature of messages prevents the extraction of information by unauthorized persons or organizations, in messages transmitted via an insecure channel, so that the sender of a message is sure that it is only read by the intended recipient. An authentication system prevents unauthorized injection of messages into an insecure channel so that the recipient of the message is certain of the quality of the sender.

Currently, the essence of message authentication consists of adding an authentication drawing, known only to the intended sender and receiver, to each message, and encrypting the combination. This 45 measure provides protection against forgery by transmitting new, properly authenticated messages following unauthorized listening, unless the key to the cipher used has also been stolen. However, the protection in the event of disagreement is weak, the disagreement arising so when the sender transmits a suitably authenticated message then denies this transmission and falsely blames the receiver for having taken unauthorized measures. Conversely, the receiver can take an unauthorized action and falsify a message sent to himself and 55 then falsely blame the sender for these actions. The fear of a dispute stems from the absence of a suitable receiving mechanism capable of proving that a particular message has been transmitted to a recipient by a particular sender.

One of the main difficulties presented by existing cryptographic systems is that the sender and the receiver must exchange an encryption key through a secure channel to which an unauthorized person or organization does not have access. The exchange of an encryption key is often carried out 65 by previous shipment of the key via a secure channel, for example private mail or registered shipping; such secure channels are usually slow and expensive.

3

634,161

An article from Diffieetal. "MULTIUSER CRYPTOGRA-PHIC TECHNIQUES", AFIPS - Conference Proceedings, vol. 45, p. 109-112, June 8, 1976 describes the principle of a public key cryptographic system eliminating the need to use a secure channel by making the sender's encryption known to the public. This article also describes how such a public key cryptographic system could allow an authentication allowing the formation of falsifiable messages, according to a digital signature. This article also describes the idea of using two keys E and D for encryption and decryption of a message, E being public information and D being kept secret by the intended recipient. Furthermore, although D is determined by E, the calculation of D from E is impossible. This article suggests the possibilities of implementing such a public key cryptographic system allowing a user to encrypt a message and send it to a intended recipient, but only the intended recipient can decrypt it. Although this article suggests the possibility of the realization of such systems, it does not indicate or prove that such cryptographic systems with public key exist and does not demonstrate the possibility of the realization of such a system.

The aforementioned article suggests three arguments for the plausibility of the existence of public key cryptographic systems: a matrix approach, a machine language approach and a logical statement approach. Although the matrix approach can be implemented with matrices that require a time of cryptographic analysis that can be demonstrated as impractical (that is, the calculation of D from E is impossible) by using known methods, this approach is of no practical use given the enormous dimensions of the matrices required. The machine language approach and the logical survey approach are also suggested, but there is no indication of how to implement them so that they require a cryptographic analysis that can be shown to be impractical.

The article also introduces a procedure using the proposed public key cryptographic systems, allowing the receiver to easily verify the authenticity of a message, but preventing it from forming apparently authenticated messages. The article describes a protocol that must be followed to obtain authentication in a proposed public key cryptographic system. However, the authentication procedure is based on the existence of a public key cryptographic system which is in no way described in the aforementioned article.

The invention aims to make it possible for authorized parties (interlocutors) to participate in a conversation so that they converse privately, even when an unauthorized party (spy) intercepts all communications.

The apparatus according to the invention has the characteristics mentioned in claim 1.

Other advantages of the invention will emerge more clearly from the description which follows, given with reference to the appended drawings in which:

FIG. 1 is a block diagram of a public key cryptographic system, transmitting a cryptogram made secure by calculation operations, by an insecure communication channel.

FIG. 2 is a block diagram of the device for encrypting a message in the form of an encrypted text, using the public key cryptographic system of FIG. 1.

FIG. 3 is a block diagram of a multiplier circuit intended to perform modular multiplications in the decryption device of FIG. 7, the exponential processing circuit of FIG. 10 and the public key generator of FIG. 11.

FIG. 4 is a detailed block diagram of an adder intended to make additions in the encryption device of FIG. 2, the multiplier circuit of FIG. 3 and the public key generator of FIG. 11.

Figure 5 is a detailed diagram of a comparator for comparing amplitudes in the encryption device of Figure 2, the multiplier circuit of Figure 3, the decryption device of Figure 7, the divider circuit of Figure 8 and the variant of the deciphering device of FIG. 9.

FIG. 6 is a detailed block diagram of a subtraction circuit, used in the multiplier circuit of FIG. 3, the deciphering device of FIG. 7 and the division circuit of FIG. 8.

FIG. 7 is a block diagram of a device for deciphering a text encrypted in a message, forming part of the cryptographic system of FIG. 1.

FIG. 8 is a block diagram of a dividing circuit incorporated in the invension circuit of FIG. 7 and in the decryption device of the variant of FIG. 9.

FIG. 9 is a block diagram of an alternative device for deciphering a text encrypted in a message, in the cryptographic system of FIG. 1.

FIG. 10 is an exponential processing circuit, intended to carry various numbers to various powers, according to modulo arithmetic operations in the variant of decryption device of FIG. 9 and the public key generator of FIG. 11.

FIG. 11 is a block diagram of a public encryption key generator of the system of FIG. 1.

FIGS. 12 and 13 respectively represent the algorithm of the logarithmic converter represented in FIG. 11, in the case where p - 1 is a power of 2, and the algorithm for calculating coefficients (bi) - of the expression:

n, - 1

x (mod pn ') = Y. bjpl j = °

with 0 fi bj ^ pi— 1, in the logarithmic converter of figure 11, when p-1 is not a power of 2.

Reference is made to FIG. 1 which represents a public key cryptographic system or assembly in which all the transmissions are carried out by a communication channel 19 which is not secure, for example a telephone line. A communication is carried out by channel 19 which is not secure between sender 11 and a receiver 12, using transceivers 31 and 32 which may be modulator-demodulator modulators 201 "Bell". The sender 11 has an unencrypted or unencrypted message X to communicate to the receiver 12. The sender 11 and the receiver 12 respectively have an encryption device 15 and an information decryption device 16, by setting using a public encryption key E transmitted by line E and a secret decryption key D transmitted by line D. The devices 15 and 16 provide reverse transformations when they receive the corresponding keys E and D For example, keys can be made up of a sequence of numbers or letters arranged randomly. The device 15 encrypts the clear message X in an encrypted message or encrypted text S transmitted by the sender 11 via the channel 19; the encrypted text S is received by the receiver 12 and it is decrypted in the device 16 in the form of a clear message X. An unauthorized party or a spy 13 is supposed to have at his disposal a key generator 23 and a device 18 for decryption, and to have access to channel 19 so

5

10

15

20

25

30

35

40

45

50

55

60

65

634,161

4

that, if he knew the key D, he could decipher the text S and get the message X in clear.

The system described by way of example presents the difficulty of the "bag problem". More simply, given a one-dimensional "bag" of length S and a vector composed of n rods of length ai, ai, ... ai, the problem of the bag is that of determining a subset of sticks filling exactly the bag, if such a subset exists. In an equivalent form, we can consider that we must determine a binary n-vector x formed of 0 and 1 and such that S = a * x, if such x exists (*, referred to vectors, denotes the product scalar, and, applied to scalars, denotes normal multiplication).

A suposed solution x is easily verified in n additions at most; however, in the current state of knowledge, the determination of a solution requires a number of operations which increases exponentially with n. An exhaustive empirical research of the 2 possible values of x is impossible by calculation when n exceeds 100 or 200. A task is considered impossible by calculation if its cost, measured either by the importance of the memories required, or by time of calculation, is finished but has a value so large that it is considered impossible, for example of the order of 105 "operations with the current methods and apparatuses of calculation.

The theory suggests the difficulty of the bag problem since it is a complete problem with N bodies, and it is therefore one of the most difficult calculation problems of a cryptographic nature (as described for example in AV Aho, JE Hopcraft and JD Ullman, THE DESIGN AND ANALYSIS OF COMPUTER ALGO-RITHMS, Reading, Ma .; Addison-Wesley, 1974, p.

363-404). However, its degree of difficulty depends on the selection of parameter a. When a = (1,2,4, ... 2 '"-"), the resolution in x is equivalent to the determination of the binary representation of S. In other words, in a less trivial way, if for all the values of i, we have:

i— 1

a.> £ aj (0

j = l we also easily determine x: xn = 1 if and only if S ^ an and for i = n-1, n-2, ... 1, Xi = 1 if and only if n

S - l_ Xj * aj> ai (2)

j = i + 1

If the components of x can take integer values between 0 and /, condition (1) can be replaced by i-1

ai> / Y ajetxi j = 1

can be determined as the whole part of

^ Y xj * a, aj) / ai.

j = i + 1

The evaluation equation (2) of 5 x, when Xi has binary values, is equivalent to this rule for 1 = 1.

A hatch bag is such that a precise selection of a allows the calculator to easily obtain a solution for any value of x, but prevents any other from determining the solution. Two methods of constructing such a hatch are described, but we first consider with reference to FIG. 1 a description of the use in a public key cryptographic system. The receiver 12 creates a hatch vector a and either places it in a public file or transmits it to the sender 11 via channel 19. The sender 11 represents the message X in plain text in the form of a vector x to n 0 and 1, and calculates S = a * x then transmits S to the receiver 12 through channel 19. The receiver 12 can resolve S to x but this is not possible for the spy 13.

According to a method of forming a hatch bag, the key generator 22 implements random numbers created by a source of key 26 which selects two large integers m and w such that w is invertible modulo m (it is that is, m and w have no common factor apart from 1). For example, source 26 may contain a random number generator which is formed from noisy amplifiers (eg u709 operational amplifiers from "Fairchild") with a polarity detector. The generator 22 has a bag vector a 'which satisfies equation (1) and thus allows the resolution of:

S '= a' * x and transforms the vector a 'which can be easily solved into a hatch vector a by the relation ai = w * a'i mod m

The vector a constitutes the public encryption key E, indicated by the line E and it is placed in a public file or transmitted by channel 19 to the sender 11. The encryption key E is thus available both for the sender 11 and the spy 13. The sender 11 uses the key E equal to a for the creation of the encrypted text S from the clear message X, represented by the vector x, by using the relation S = a * x . However, as the values a, can be distributed in a pseudo-random manner, the spy 13 who knows a but does not have w or m, cannot conceivably solve a problem of the bag implementing a for obtaining the desired message x .

The receiver decryption device 16 knows w, m and a 'in the form of the secret decryption key D and can easily calculate the values:

S '= 1 / w * S mod m (4)

= l / w * Lxi * a. mod m (5)

= l / w * Ex> * w * a'i mod m (6)

= Ixi * a'imodm (7)

If m is chosen so that m> Ia'i (8)

equation (7) implies that S 'is equal to Ix, * a', in integer arithmetic and modulo m. This bag can be easily solved in x which is also the solution of the more difficult problem of the hatch bag S - a * x. The receiver 12 can therefore obtain the clear message X represented by the binary vector x. However, the hatch problem of spy 13 can be made impossible to solve by calculation, so that spy 13 cannot have the message X in plain text.

We now consider an example in which n = 5 to clarify the ideas a little. If m = 8443, a '= (171, 196, 457 1191, 2410) and w = 2550, we have a = (5457, 1663, 216, 6013, 7439). If x = (0.1, 0.1, 1) the encryption device 15 calculates S = 1663 + 6013 + 7439 = 15115. The decryption device 16 implements Euclid's algorithm (see for example the work of D. Knuth, THE ART OF COMPUTER PROGRAMMING, vol II, Addison-Wesley, 1969, Reading, Ma) for the calculation of 1 / w = 3950, and he then calculates:

S '= l / w * S mod m (9)

5

10

15

20

25

30

35

40

45

50

55

60

65

5

634,161

= 3950 * 15115 mod 8443

= 3797

As S '> a'5, the deciphering device 16 determines that X5 = 1. Then, using equation (2) corresponding to the vector a', it determines that X4 = 1, xj = 0, x ? = 1, xi = 0 or x = (0, 1.0, 1.1) which is also the suitable solution of S =

a * x.

Spy 13 who knows neither m nor w nor a 'has many difficulties in solving the equation S = a * x in x although he knows the method used for the creation of the hatch vector a. Its task can be made impossible when n, m, vv and a 'have important values. The task is further complicated by scrambling the order of the components a: and by adding different random multiples of m to each value of a ,.

The example given is of very small dimension and it is only intended to illustrate the implementation of this technique. If n = 100 (which corresponds to the lower end of the useful range in currently high-security systems), in the form of a more reasonable value, we can consider that m is chosen almost uniformly among the numbers between 2201 + 1 and 2202 - 1, a '1 being chosen uniformly in the range (1.2100) a'2 being chosen uniformly in the range (2100 + 1, 2 * 2100), a'3 being chosen uniformly in the range (3 x 2'00 + 1.4 * 2'00, ... and a'i being chosen uniformly in the range ((2-M - 1) * 2I00 + 1, 21-1 * 210) while w 'is chosen so uniformly in the range (2, m — 2) and is divided by the greatest common divisor of (vv', m) so that it forms w.

These selections are such that equation (8) is satisfied and that a spy 13 has at least 2100 possibilities for each parameter and therefore cannot study them all.

The encryption device 15 is shown in FIG. 2. The sequence of integers ai, a2, .. an is presented sequentially in synchronism with the sequential presentation of the 0s and 1s of xi, X2, ... .Xn. The register S 41 is initially set to 0. If x. = 1, the content of register 41 and ai are added by the adder 42 and the result is placed in register 41. If x, = 0, the content of register 41 remains unchanged. In all cases, i is replaced by i + 1 up to i = n, and in this case the encryption operation is completed. The register i 43 is initially set to 0 and progresses by one unit after each cycle of the encryption device. The adder 42 or a special counter can be used to increase the content of the register 43. Within the range of values suggested above, the registers 41 and 43 can each be in the form of a single direct access memory at 1024 bits , for example of the "Intel" type 2102. The adder 42 is described in more detail below, as is the comparator 44 necessary for the comparison of i and n when determining the end of the encryption operation .

The key generator 22 comprises a modulo m multiplier circuit, as shown in FIG. 3, intended to form the expression a. = w * a 'i mod m. The two numbers vv and a 'i to be multiplied are loaded in the registers W and A' 51 and 52 and m is loaded in the register M 53. The product w * a 'i modulo m is formed in the register P 54 which is initially set to 0. When k, the number of bits of the binary representation of m, is equal to 200, the four registers can be formed by a single direct access memory of 1024 bits, for example of the “Intel” type 2102. The circuit of figure 3 implements the expression wa'i mod m = w0a'i mod m + 2 wia'i mod m + 4 w; a ', modm + ... + 2k-'wk-! A' i mod m.

During the multiplication of w by a'i, when the rightmost bit, containing w "of register 51, is an I, the content of register 53 is added to register 54 by the adder 55. If w. . = 0, register P 54 is unchanged. The contents of registers M and P are then compared by the comparator 56 which determines the fact that the content of register 54 is greater than or equal to m, content of register 53. If the content of register 54 is greater than or equal to m, the subtraction circuit 55 removes ms from the content of register 54 and places the difference in the latter, whereas, when the content is less than m, register 54 remains unchanged.

Then, the content of the register W 51 is shifted by one bit to the right and a 0 is entered on the left so that the content 10 becomes 0wk-i Wk -: ... ... wawi, and w is ready for the calculation of 2wia 'mod m. The quantity 2a 'mod m is calculated for this purpose using the adder 55 which adds a' to its content, comparator 56 which determines whether the result 2a 'is less than m, and the subtraction circuit 57 which remove m from 2a 'if the result 15 is not less than m. The result 2a 'mod m is then stored in the register A' 52. The bit placed on the right, containing wi, in the register 51 is then examined as described above and the operation is repeated.

The operation is repeated a maximum of k times or until the register 51 contains only zeros, and at this time wa 'mod m is kept in the register 54.

We consider the problem of calculating 7 x 7 modulo 23, as an example. The following steps represent the successive content of the registers W, A 'and P which gives the response 7x7 25 = 3 modulo 23.

i W (binary)

0 00111

100011 30 2 00001

3 00000

A 'P

7 0

14 0 + 7 = 7

5 7 + 14 = 21

10 21+ 5 = 3 mod 23

FIG. 4 represents an adder circuit 42 or 55 intended to add two numbers p and z to kbits. The numbers 35 are presented bit by bit to the device, with the lower order bits first, and the delay element is initially set to 0 (the delay represents the binary carry). AND gate 61 determines that the carry bit is 1, when pi and zi are both 1, and AND gate 62 determines that 40 carry must be 1 because the previous carry was 1 and one of the parameters pi and zi is a 1. If one of these two conditions is satisfied, the OR gate 63 transmits a 1 indicating a carry-over to the next stage. The two dilemma gates 64 and 65 determine the iilime bit of the sum, Si, as being the 45 sum modulo 2 of pi, z \ and the carry bit of the preceding stage. The delay circuit 66 retains the previous carry bit. Examples of components suitable for AND gates and the delay circuit are given the references SN7400, SN7404 and SN7474.

50 FIG. 5 represents an example of comparator 44 or 56 of two numbers p and m. These two numbers are presented bit by bit, starting from the high order bits. If none of the outputs p <m and p> m were triggered after the last bits po and mo, then we have p = m. The first triggering of one of the 55 outputs p <m or p> m stops the comparison. The two AND gates 71 and 72 each have an inversion input (represented by a small circle). The SN7400 and SN7404 circuits constitute the totality of the necessary logic circuits.

FIG. 6 shows an example of a circuit 57 for request subtraction. As the numbers subtracted in the circuit of Figure 3 always give a difference which is not negative, the treatment of negative differences need not be considered. The largest number, which is the number to be subtracted from 65, is called p and the smallest number, which is the subtracted number, is called m. p and m are presented in series to circuit 57, from the low order bits. The AND gates 81 and 83, an OR gate 84 and a dilemma circuit 82 determine whether a

634,161

6

negative deduction is to be taken into account. Such negative withholding arises when p. = 0 and mi = 1 or when p. = mi, the negative reservoir from the previous floor. The delay circuit 85 retains the previous negative hold. The ii,; mc bit of the pi difference is calculated as the modulo 2 difference or the dilemma operation of pi, mi and the negative carry bit. The signal from gate 82 gives the modulo 2 difference between pi and mi, and dilemma gate 86 forms the modulo 2 difference between p. and mi, and the dilemma gate 86 forms the difference modulo 2 of the value obtained with the preceding negative carry bit. The components suitable for these doors and the delay circuit are components SN7400, SN7404 and SN7474.

FIG. 7 represents the device 16 for deciphering. It receives the encrypted text S and the decryption key comprising w, m and a ', and it must calculate x.

When calculating x, w and m are first introduced into a modulo m 91 inversion circuit which calculates w1 mod m. It then uses the multiplying circuit modulo m 92 for the calculation of S '= w-' S mod. m. As indicated in equations (7) and (8), S '= a' * x whose resolution in x is easy. The comparator 93 then compares S 'with a' n and decides that Xn = 1 if S 'ääa'n and quexn = Osi S' <a'n. If xn = 1, S 'is replaced by S'-a'n calculated by the circuit 94 of subtraction. If xn = 0, S 'is unchanged. The operation is repeated for a 'n-i and Xn-i and continues until the end of the calculation of x. The register j 95 is initially set to n and decreases by one unit after each stage of the deciphering process until j = 0 which causes the stopping of the operations and the meaning of the calculation of x. The subtraction circuit 94 or a down counter can be used for the regression of the content of the register 95. The comparator 96 can compare the content of the register 95 to 0 and can determine the moment of stopping operations. The modulo m 92 multiplier circuit is shown in more detail in Figure 3; the comparator 93 is shown in more detail in Figure 5 and the subtraction circuit 94 is shown in more detail in Figure 6. The modulo m inversion circuit 91 can be made from a well-known developed version of the Euclid's algorithm (as described for example in the work of D. Knuth, THE ART OF COMPUTER PROGRAMMING, vol. II, Addison-Wesley, 1969, Reading Ma., p. 302 and p. 315, problem 15). This book indicates that such a circuit requires 6 registers, a comparator, a divider circuit and a subtraction circuit. All these devices have already been described in detail, with the exception of the divider circuit.

FIG. 8 represents an apparatus intended to divide an integer u by another integer v and to calculate a quotient q and a remainder r such that 0 ^ r ^ v-1. First, u and v represented by binary numbers are loaded into registers U and V 101 and 102. Then, v, the contents of register 102, are shifted to the left until a 1 appears vk-i, the leftmost bit of register 102. The operation can be performed by using the complement of Vk-i for controlling the shift command of a shift register such as "Signetics" 2533, set initially at 0. The content of the up-down counter 103 is equal to the number of bits of the quotient, minus 1.

After startup, v, that is to say the content of register 102, is compared with the content of register U 101 by a comparator 104. If v> u, qn, the most significant bit of the quotient, is equal to 0 and u is left unchanged. If v ^ u, qn = 1 and u is replaced by u-v calculated by the circuit 105 of subtraction. In all cases, v is shifted by one bit to the right and the comparison v> u is repeated for the calculation of qn-i, the next bit of the quotient.

The operation is repeated, the counter 103 regressing by one unit after each repetition until it contains 0. At this time, the quotient is complete and the rest r is present in the register U 101.

For example, consider the division of 14 by 4 which gives q = 3 and r = 2 with k = 4 corresponding to the dimension of the register. As u = 14 = 1110 and v = 4 = 0100 in binary form, the register 101 is shifted to the left only once with the formation of v = 1000. After this operation, we see that v ^ u so that the first bit of the quotient qi = 1 and u is replaced by uv; v is replaced by itself shifted to the right by one bit, and the counter 103 returns to 0. This fact indicates that the last bit of the qotient qo is being calculated and, after the repetition in progress, the rest r is found in the U register. The following sequence of the contents of the register facilitates the understanding of these operations.

U V counter qi

1110 1000 1 1

0110 0100 0 1

0010 - stop

We note that q = 11 in binary form, equivalent to q = 3, and that r = 0010 in binary form, equivalent to r = 2.

Another method for forming a hatch bag vector a implements the fact that such a multiplicative problem posed by such a bag can be easily solved when the vector components are prime numbers between them. If a '= (6, 11,35,43, 169), and that a partial product is P = 2838, one easily determines that P = 6 * 11 * 43 because 6,11 and 43 are divisors of P but no 35 and 169. A multiplicative type bag problem is transformed into an additive type problem by using logarithms. Logarithms are calculated in the (finite) Galois domain GF (m) with m elements, m being a prime number. We can also use non-prime values for m, but the operations are somewhat more complicated.

A simple example makes it easier to understand. If n = 4, m = 257, a '= (2,3,5,7) and the base of the logarithms is b = 131, we obtain a = (80,183.81, 195). Thus, 13180 = 2 mod 257; J31 '83 = 3 m0 (j 2571 etc. The determination of logarithms in the domain GF (m) is relatively convenient when m-1 has only small prime factors.

When the deciphering device 16 receives S = 183 + 81 = 264, it uses the deciphering key D comprising m, a 'and b and it calculates:

S '= bsmodm = 13 1 264 mod 257 = 15 = 3 * 5

= a '^' a ^ 'aVa' * 0 which implies that x = (0,1, 1,0). Indeed,

t> S = * Xj)

= nb (a '* x, i

= ria'ixi mod m

However, it is necessary that:

not

ïla'iCm i - xj so that Fia7 i mod m is equal to fia '> Xi, in whole number arithmetic.

Spy 13 knows the encryption key E which includes the vector a but does not know the decryption key D and is faced with a problem that cannot be solved by calculation. The example given is still simple and simply illustrates

5

10

15

20

25

30

35

40

45

50

55

60

65

7

634,161

the technique used. When n = 100, if each a '. is a 100-bit random prime number, m has a length of about 10,000 bits, so that the equation (14) is satisfied. Although a data expansion of 100/1 is acceptable in some applications (for example the secure transmission of a key in an insecure channel), it is probably not necessary for an adversary to be as uncertain of the values a '.. We can also use the first n prime numbers for the a', and in this case n can be as short as 730 bits when n = 100, condition (14) being always satisfied. As a result, there is a possible trade-off between security and data expansion.

In this embodiment, the encryption device 15 has the configuration shown in detail in FIG. 2 and described above. The deciphering device 16 of the second embodiment is shown in detail in FIG. 9. The encrypted text S and part of the deciphering key D, namely b and n, are used by the exponential processing circuit 111 for the calculation of P = bs mod m. As indicated by equations (12) to (14) and in the example, P is a partial product of {a,}, which is also part of the decryption key D. The divider circuit 112 divides P para'i for i = 1,2,3, ... n and it transmits only the remainder ri to the comparator 113. When ri = 0, a 'i is an integer divider of P and x. = 1. If n ^ 0, Xi = 0. The divider circuit 112 can be produced as shown in detail in FIG. 8 and described previously. The comparator 113 can be of the type shown in FIG. 5 and described in detail; however, more efficient devices exist for comparing to 0.

The exponential processing circuit 111, intended to bring b to the power S modulo m, can be in the form of the electronic circuit of FIG. 10. The latter represents the initial content of three registers 121, 122 and 123. The binary representation of S (Sk-i st -: ... sis ") is loaded in the register S 121,1 is loaded in the register R 122, and the binary representation of b is loaded in the register B 123 corresponding to i = 0. The number of bits k in each register is the smallest integer such as 2k> m. When k = 200, the three registers can be formed by a single 1024-bit direct access memory of the “Intel” type 2102. The circuit 124 for multiplying two modulo numbers m has been described with reference to FIG. 3.

We now refer to FIG. 10 and note that, when the lower order bit containing s ", in the register 121, is equal to 1, the contents of the registers Ret B 122 and 123 are multiplied modulo m and the product , which is also a k-bit quantity, replace the content of register 122. When Su = 0, the content of register 122 remains unchanged.

In all cases, the register 123 is then loaded twice into the multiplier circuit 124 so that the square modulo m of the content of the register 123 is calculated. This value b ':' + i) replaces the content of register 123. The content of register 121 is shifted one bit to the right and a 0 is shifted to the left so that the content is then osk-isk- :. .. s2si.

The lower order bit, containing if, in register 121 is examined. It is equal to 1, as previously, the contents of the registers 122 and 123 are multiplied modulo m and the product replaces the content of the register 122. When the lower order bit is equal to 0, the content of the register 122 remains unchanged. In all cases, the content of register B 123 is replaced by the square modulo m of the preceding content. The content of register S 121 is shifted by one bit to the right and a 0 is placed on the left so that the content is then 00sk-i Sk-2. . . S3S2.

The operation continues until register 121 contains only zeros and the value of bs modulo m is then kept in register 122.

An example is useful for understanding the operation. If m = 23, we determine k = 5 from 2k ^ m. If b = 7 and S = 18, we abs = 718 = 1628413597910449 = 23 (70800591213497) 4-18 so that nbsulo m is equal to 18. This direct but laborious method of calculating b * modulo m is used for verification showing that the method implemented in the circuit of FIG. 10, described below, gives the suitable result. The contents of registers 122 and 123 are represented in decimal form to facilitate understanding.

i

S (binary)

R

B

0

10010

1

7

1

01001

1

3

2

00100

3

9

3

00010

3

12

4

00001

""

6

5

00000

18

13

The line marked i = 0 corresponds to the initial content of registers S = 18, R = 1 and B = b = 7. Then, as described above, since the right bit of register 121 is a 0, the content of register 122 remains unchanged, that of register 123 is replaced by the modulo square 23 of the previous content (72 = 49 = 2 x 23 + 3 = 3 modulo 23), the content of register 121 is shifted one bit to the right and the operation continues. It is only when i = 1 and 4 that the right bit of the content of register 121 is equal to 1 so that it is only when passing dei = Ià2eti = 4à5 that the content of register 122 is replaced by RB modulo n. When i = 5 = S = 0 so that the operation is finished and the result 18 is in the register 122.

It should be noted that one obtains the same result 18 as in the direct calculation of 718 modulo 23, but in the latter case, one never deals with large numbers.

We could understand the process in another way: we note that the register B 123 contains b, b2, b4, b8 and b16 when i = 0,1,2,3 and 4 respectively, and that b'8 = b16b2, so that only these two values need to be multiplied.

The key generator 22 used in the second embodiment is shown in detail in FIG. 11. A table of n small integers pi is formed and stored in the source 131 which can be a passive memory, for example “Intel” 2316 E. The key source 26, as previously described, creates random numbers ei. The small prime numbers of the source 131 are each brought to a different power, represented by a random number ei coming from the key source 26, by the exponential processing circuit 132 which forms piei for i between 1 and n. The multiplier circuit 133 then calculates the product of all the values pie 'which can be represented by flpi'. The product of all pic'i, A piei is then increased by one unit in the adder

134 which creates the potential value of m. If m must be prime, the potential value of m can be checked by the device

135 for checking prime numbers.

The devices intended to verify that a number m is prime, when the factorization of m-1 is known (because in this case m-1 = lì piei), are well known in the art, ■ as described for example in work by D. Knuth, THE ART OF COMPUTER PROGRAMMING (vol. II, Seminumerical Algorithms, p. 347-48). As described in this work, the device 135 for verifying prime numbers must simply comprise a device intended for putting various numbers at various powers modulo m,

s

10

15

20

25

30

35

40

45

50

55

60

65

634,161

8

n— 1 (25)

xi = Y. bj2J

j = i as described with reference to figure 10. When an easier value when we note that, at the beginning of the iemc loop, we have potential of m is determined as being prime, it m = (p— 1) / 2i + 1 (23)

is transmitted by the public key generator of FIG. 11,

as the parameter m. The elements a'i of the vector to 'and can then be chosen so that they are the n small s z _ ax, (moc} p) (24)

prime numbers pi from source 131.

The base b of the logarithms is then chosen as one with a random number, by the source 26.

The elements of vector a are calculated by the logarithmic converter 136 in the form of logarithms based on b of the elements of vector a 'in the domain GF (m). The operation and structure of the logarithmic converter 136 are thus, when z is brought to the same power, we obtain:

described below.

We know that, when p is prime, we have: zm _ au, m> = a [ip-n.:i. o. |. 2h zf ~! = 1 (modp), 1 ^ Zf £ p ~ '(15)

= (—1) * '2 = (—l) h | (modp) (26)

As a result, the arithmetic processing, in the exponent,

corresponds to modulo p— 1 and not to modulo p. So, so that zm = 1 (mod p) if and only if b. = 0, and zm = - 1

20 (mod p) if and only if bi = 1.

z * = zs "m, <| p - '> (In0dp) (16) For example, consider p = 17 = 24 + l.a = 3 is a

primitive element (a = 2 is not a primitive element because 2S = for all integers x. 256 = 1 modulo 17). If y = 10, the algorithm calculates x of the

The algorithm for calculating the modulo p logarithms appears as follows (note that ß = x-1 = 6 because better when considering the particular case p = 2n + 1. 253x6 = 18 = 1 modulo 17):

We know a, p and y, a being a primitive element of GF (p) and we must determine x such that y = a "(mod p). We can assume O ^ Xîip — 2 since x = p — 1 cannot not be distinguished from x = 0.

When p = 2n + 1, x o is easily determined by determining the binary expansion {bo, ..., bn-i} of x.

The least significant bit bo of x is determined by setting y to the power (p —1) / 2 = 2 "- ', and by using the rule:

, i u _0 35 nable because a3 = 33 = 27 = 10 (mod 17).

y'f - ", :( modp) = {_j'b ^ _ j (17)

We can generalize this algorithm to arbitrary prime numbers p. Yes

This fact is established because we note that. since a is a primitive element. 40 p - 1 = pn'p "2 ... pk" k, pi> p. + I (27)

a'p-'i - = - l (mod p) (18)

is the prime factorization of p - 1, the components

and consequently: health pi are distinct prime numbers and the values of

45 ni are positive integers. The value of x (mod pi "')

yip — n: = = (- l) * (modp) (19) is determined for i = 1, ... k and the results combined by the Chinese remainder theorem give:

The next development bit of x is then determined by ^

use of relationships:. , not. ,,

sßx (mod n pi '= x (modp-l) = x (28)

z = y "_b" = axi (mod p) (20) 1 '

since O ^ x ^ p — 2. This theorem can be implemented in n — I 0 (k logzp) operations in 0 (k log: p) bits of memory (on b'2 '(21) counts a multiplication modulo p as being an operation-

i = 1 55 tion).

i

Z

ß

m

W bi

0

10

6

8

16 1

1

9

i

4

16 1

2

1

4

i

1 0

3

1

16

1

1 0

4

1

1/2

We thus see that x =

2 "+2 '

= 3. This relation is suitable

Xi

It thus appears that xi is a multiple of 4 if and only if

We consider the following expansion of x (mod pi "), n — 1

bi = 0. If bi = 1, x; is divisible by 2 but not by 4. The x (modpn ') = £ bjpi' (29)

above reasoning allows the determination of: 1 j = 0

60

• H, bi = 0 with O ^ bj ^ pi— 1.

zp ~ '4 (mod p) = {_j'j3i _ j (22) The least significant coefficient bo is determined by setting y to the power (p — l) / pi,

yip-n p. = a'p- "Pi = yi * = (yì) b ° (mod p) (30)

The remaining bits of x are determined analogously. 65 with the algorithm is schematically represented by the flowchart in Table I.

The understanding of the flowchart of figure 12 is Y '= and "1-" ^ (mod p) (31)

9

634,161

which is a primitive root pûème of unity. There are therefore only pi possible values for y ^ - "^ (mod p) and the resulting value uniquely determines bu.

The following figure bi, in the basic development pi of x (mod pini), is determined using the relation z = y • a b "= aX | (mod p), n — 1

with xi = Y. bipiJ

j = l

(32)

(33)

10

If we then bring z to the power (p - 1) / pi2, we obtain: Z'p-D-Pj- = „(p- j j.xi / p, 2 = y," 1- Pi = (y,) bi (mod p)

(34)

there are still only pi possible values of z, p '' 'pi: and this value 20 determines bi. The operation is continued for the determination of all the coefficients b ,.

The flowchart in Figure 13 summarizes the algorithm for calculating the development coefficients (bi) (29). This algorithm is used k times for the calculation of x (mod pïni) for 25 i = 1, 2,3 ... k and the results are combined by the Chinese remainder theorem to obtain x. The function gi (w) of table 11 is determined by the relation of the Chinese remainder or can note that x = 8 or x = 8 + 9 = 17 and 17 only is odd). As a check, we can see that 217 = 131 072 = 10 (mod 19), so that y = ax (modp).

We note that the logarithmic converter requires a modulo p inversion circuit for the calculation of ß = a-1 (mod p). As already indicated, the operation can be carried out in the developed form of the Euclidean algorithm which requires the use of a divider circuit of the type represented in FIG. 8, of a multiplier circuit of the type of FIG. 3 and the comparator of FIG. 5. The logarithmic converter also requires the divider circuit of FIG. 8 (for the calculation of the successive values of n), the adder of FIG. 4 (for the progression of j), the processing circuit exponential modulo p of figure 10 (for the calculation of W and ßbJ and for the preliminary calculation of the table of gi (w)), the multiplier circuit modulo p of figure 3 (for the calculation of the successive values of Z) and the comparator of FIG. 5 (for the determination of the moment when j = Ni). The use of the logarithmic converter according to the Chinese rest theorem only requires devices that have already been described (multiplier circuits in Figure 3 and modulo m inverter).

According to the first method of forming a hatch vector, a very difficult problem involving a vector is transformed into a very simple and very easily soluble problem, concerning a ', implementing the transformation:

have

1 / w * ai mod m

(36)

'= w (mod p), 0 g. (w) ^ pi— 1

(35)

30

for which y is defined by the relation (31).

When all the prime factors {pi} jv, of p - 1 are small, the functions gi (w) can be easily used in the form of tables, and the calculation of the logarithm in the domain GF (b) requires 0 (log: p ) ;: operations and a minimum quantity of memories for the gi (w) function tables. The predominant calculation criterion relates to the calculation of w = z "which requires 0 (log: p) operations. This loop is traversed

35

A bag problem involving a can thus be solved because it is convertible into another problem involving a 'and which is soluble. It should be noted, however, that the reason why bag problems involving a 'are soluble is of little importance. Thus, instead of the criterion according to which a 'must satisfy equation (1), one can fix a criterion according to which a' must be transformable into another problem of bag implying a ", by transformation of the type:

a "i = 1 / w '* a'i mod m'

(37)

times and, when all the values of pi are small,

i = 1 k

Y ni is approximately equal to log: p. So when p-1

r = 1

has only small prime factors, calculating logarithms in the GF (p) domain can be easy.

In an example, we consider p = 19, a = 2, y = 10. We then have p— 1 = 2.32 and pi = 2, ni = 1, p: = 3 and n; = 2. The calculation of x (mod pi "1) = x (mod 2) requires the calculation of y '

p-ii pi =

cc "= 512 = 18 (mod 19), so that bi = 1 etx

(mod 2) = 2 "= 1 (that is to say x is odd). The flowchart of figure 13 is crossed again for p: = 3, n: = 2, and we obtain ß = 10, because 2x = 20 = 1 modulo 19; in addition, y: = a6 = 7 and 7 ° = 1.7 '= 7, et7: = 11 (mod 19) and g: (l) = 0, g2 ( 7) = 1 and g :( 11) = 2.

Z

B

n d

W

bj

10

10

6

0

11

2

12

12

2

1

11

2

18

18

2/3

2

so that x (p mode: ":) = x (mod9) = 2.3n + 2.3 '= 8.

Knowing x (mod 2) = 1 and x (mod 9) = 8 implies that x (mod 18) = 17. (We can use the theorem

40 a "satisfying equation (1) or being easily solved elsewhere. After carrying out the transformation twice, its implementation a third time does not pose any problem; in fact, it appears that this process can be repeated as often as desired.

45 With each successive transformation, the structure of the vector known to the public becomes more and more obscure. The simple problem of the bag is quantified essentially by repeated application of a transformation which preserves the fundamental structure of the problem. The end result a so appears as a collection of random numbers. The fact that the problem can be easily resolved has been completely hidden.

The original and easily determined vector of the bag problem can satisfy any condition, such as condition (1) 55 which guarantees its easy resolution. Thus, it may be a problem of a multiplicative type hatch bag. In this way, the two types of hatch method can be combined in the form of a single method, the determination of which is still probably more difficult. 60 It is important to consider the growth rate of a because this determines the development of the data involved in the transmission of the vector x with n dimensions in the form of the larger quantity S. The growth rate depends on the selection process of the numbers, 65 but, during a “reasonable” implementation with n = 100, each component ai has a dimension greater than the maximum of 7 bits than the corresponding component a 'i, each a' i having at most 7 bits of more than the

634,161

10

component a "., etc. Each successive step of the transformation increases the dimension of the problem but only by a small fixed quantity. If the transformation is repeated 20 times, a maximum of 140 bits are added to each ai. Thus, if each a has a length of 200 bits at the beginning, only 340 bits are needed after 20 stages. The vector solution of the bag problem for n = 100 therefore has at most a dimension of 100 * 340 = 34 kilobits.

Usual digital authentication circuits provide protection against forgery by an outside party, but they cannot be used for the settlement of disputes between the sender 11 and the receiver 12, concerning the fact that a possible message has been transmitted. A true digital signature is also called a receipt because it allows the receiver 12 to prove that a particular message M has been sent to him by the sender 11. The hatch bag problems can be used for the creation of such receipts in the manner next.

If each message M of a wide fixed range has an inverse image x, it can be used for the formation of receipts. The sender 11 creates hatch bag vectors b 'and b such that b' is a secret key, for example a bag vector whose solution is easy, b being a public key, for example obtained by the relation:

bi = w * b'.modm (38)

The vector b is then either placed in a public file, or sent to the receiver 12. When the sender 11 can transmit a receipt for the message M, it calculates and transmits x such that: b * x = M. The sender It creates x for the desired message M by solving the problem of the bag which can be easily resolved.

M '= 1 / w * M mod m (39)

= l / w * £ xi * bimodm (40)

= l / w * Xxî * w * b'imodm (41)

=] Fxi * b'imodm (42)

The receiver 12 can easily calculate M from x and, by checking a domain indicating a date and a time (or any other redundancy in M) determines the fact that the message M was authentic. As the receiver 12 cannot create such a vector x since he must know b 'that only the sender 11 has, the receiver 12 keeps x in the form of a proof of the sending of the message M by l sender 11.

This method of forming receipts can be modified so that it is used when the density of solutions (fractions of messages M between 0 and bi having solutions for b * x = M) is less than 1, provided that it does not is not too weak. The message M is transmitted in clear or in encrypted form as indicated above when espionage poses problems, and a sequence of unidirectional functions connected yi = Fi (M), y: = F: (M), ... is calculated. The sender 11 seeks to obtain an inverse image x for y i, y:, ... until he determines one and adds the x corresponding to the message M in the form of a receipt. The receiver 12 calculates M '= b * x and verifies that M' = y ;, i being within an acceptable range.

The sequence of unidirectional functions can be as simple as

Fi (M) = F (M) + i (43)

or

F, (M) = F (M + i) (44)

when F (*) is a unidirectional function. The range of functions F (*) must have at least 2100 values for empirical falsification attempts to fail.

The message and the receipt can also be combined in the form of a single message-received set. When the acceptable range for i is between 0 and 2'-1 and when the message has a length of J bits, a number unique to J + 1 bits can represent the message and i. The sender 11 verifies a solution of b * x = S for each of the 21 values of S obtained when for example the first J bits of S are made equal to the message and the last I bits of S are free. The first solution x obtained is transmitted to the receiver 12 in the form of the message-received. The receiver 12 obtains S by calculating the scalar product of the public key D and of the message-received combination x, and he keeps the first J bits of S thus obtained. The authenticity of the message is validated by the presence of an appropriate redundancy in the message, either a natural redundancy when the message is expressed in normal language such as French or English, or an artificial redundancy, for example obtained by adding d 'a date and time domain to the message.

Redundancy, considered in this memoir, has the known meaning in information theory (Claude E. Shannon, "THE MATHEMATICALTHEORYOF COMMUNICATION", Bell System Technical Journal, vol. 27, p. 379 and 623.1948) and in complexity theory (Gregory J. Chaitin "ON THE LENGTH OF PROGRAMMS FOR COMPUTING FINITE BINARY SEQUENCES", Journal of the Association for Computing Machinery, vol. 13, p. 547, 1966) for the measurement of structure in a message (deviation from complete unpredictability and randomness). A message source does not have redundancy only when all the characters appear with equal probabilities. If one can guess the characters of the message with a better chance of success than in a purely random case, the source has redundancy and the speed at which a hypothetical player can increase his fortune is the quantitative measure of redundancy, as described in the report by Thomas M. Cover and Roger C. King, "A CONVERGENT GAMBLING ESTIMATE OF THE ENTROPY OF ENGLISH", Technical Report * 22, Statistics Department, Stanford University, November 1, 1976. Humans can easily validate the message by a redundancy check (for example by determining that the message is expressed in a suitable grammar in French). The simulation of the player's situation allows a machine to validate whether a message has or not the redundancy suitable for the claimed source.

Part of the decryption key D may be known to the public and not secret, provided that the part of D which is not disclosed prevents spy 13 from obtaining the message X in clear text.

In certain applications, it may be advantageous for the i'th recipient to create a hatch bag vector a (i) as indicated above, and place this vector or an abridged representation of this vector in a public file or in a directory. Then, a sender who wants to establish a secure communication channel uses a (i) as a decryption key for transmission to the i-th receiver. The advantage is that this second recipient, when he has proved his identity to the sender by using his driving license, his fingerprints, etc., can prove his identity to the sender by his ability to decipher the data encrypted using the key a (i).

s

10

15

20

25

30

35

40

45

50

55

60

65

B

8 sheets of drawings

Claims (2)

634,161 2 CLAIMS 1. Apparatus for decrypting an encrypted message received by an insecure communication channel (19) comprising a device (32) connected to receive the message which is encrypted by an encryption transformation in which a message which must be kept secret is transformed by a public encryption key (E), as well as a decryption device (16) which comprises a device (91, 92) for receiving a secret decryption key (D) for producing the message by reversing the transformation of encryption, and which comprises a generator of the message (93, 94) having an input connected to receive the inverse of the encrypted message and an output for producing the message, the secret decryption key (D) being unable to be produced by calculation from of the public encryption key (E), and the encryption transformation which cannot be reversed by calculation, in the absence of the secret decryption key (D), characterized in that the device for inverting the chi transformation ffrage includes a device (91,92) for calculating: S '= l / w * S mod m and being represented by b, m and a '; a 'being a vector with n dimensions whose components a', are numbers having no common multiple; S 'being the inverse of the encrypted message determined by the encryption transformation: s S = a * x the message being represented by a vector x, with n dimensions, of which each component xi is equal to 0 or 1; the public key io (E) of encryption being represented by the vector a, with n dimensions, the components of which are such that: ai = logb a 'i mod m for i = 1,2, ... n. îs 3. Use of the apparatus according to claim 1 or 2 in an installation for transmitting encrypted messages from a sender to a receiver via an insecure communication channel using a public encryption key and a secret decryption key. 20 the message generating device comprises a device (93, 94) for establishing the x values. equal to the whole part of: not S'-I j-i + 1 Xj * a'i / a ', for i = n, n— 1, ... 1 m and w being high whole numbers and w being able to be inverted modulo m; S 'being the inverse of the encrypted message S, determined by the encryption transformation S = a * x the message being represented by a vector x with n dimensions of which each component xi is an integer ranging between 0 and /; / being an integer, the public encryption key (E) being represented by a vector a, with n dimensions, the components of which are such that: a, = (w * a'j mod m) + km for i = 1,2, ... n k and n being whole numbers and the secret decryption key (D) being formed of m, w and a '; a 'being a n-dimensional vector whose components are such that: i — 1 a'i> / Y. aj for i = 1,2, ... n. j = l 2. Apparatus according to claim 1, characterized in that the device for reversing the encryption transformation comprises a device (92) for calculating: S '= bsmodm and the device generating the message comprises a device (93) intended to fix xì = 1, if and only if the quotient of S' by a. is an integer, and fix Xi = 0, if this quotient is not an integer; b and m being high integers and m being a prime number such that: m> not 7t i = 1 a'i n being an integer, and the secret decryption key (E)